Nasty Cloudflare bug leaked sensitive information for months

Cloudflare provides caching, proxy, and security services for thousands of web sites, including some very popular ones like digitalocean.com, patreon.com, bitpay.com, news.ycombinator.com, medium.com, 4chan.org, yelp.com, okcupid.com, zendesk.com, uber.com, 23andme.com, curse.com, and minecraftforum.net.

For about five months, starting in September 2016, a truly awful bug in Cloudflare’s services caused private information from sites hosted by Cloudflare to be leaked to unrelated systems. Since the leaked information was merrily crawled and stored by all the major search engines, all that data became available to the entire planet.

The leaked data includes just about everything you wouldn’t want leaked, such as encryption keys, cookies, passwords, private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings.

My initial reaction to the news of this leak was relief, because I don’t use Cloudflare for any of my (or my clients’) web sites. But I use other web sites and services that use Cloudflare, so my private information may have been leaked. Almost anyone who uses the web actively could be affected by this bug, and its fallout.

The bug itself has been fixed by Cloudflare. The major search engines are working with Cloudflare to scrub related private information from their databases. But the damage has already been done.

What should you do?

If you run any web sites or services that use Cloudflare, you should take action immediately, by invalidating all user sessions (e.g. login cookies). How this is done depends on the platform you’re using (WordPress, Joomla, etc.) You should probably recommend to your members/subscribers that they change their passwords.

If you use any of the affected sites or services, you should probably change the associated passwords. This may turn out to be overkill, but it’s difficult to know for certain.

The full extent of the damage caused by this bug remains to be seen. In the worst case scenario, malicious hackers noticed the bug when it first appeared, and proceeded to gather leaked information for months.

References

Shockwave 12.2.7.197

Another new Shockwave version was released this week by Adobe. Once again, the official release notes page for Shockwave 12 only shows 12.2.7.197 as the current version, and provides no details. There was no announcement.

A couple of years ago, Adobe changed the way Flash functionality is built into Shockwave, presumably to beef up Shockwave’s security, which up to that point included older, vulnerable versions of Flash. So it’s possible that these barely-documented Shockwave updates exist primarily to synchronize Shockwave’s security with the current version of Flash.

As usual, if you use a web browser with Shockwave enabled, you should install the new version as soon as possible.

Microsoft releases update for Flash

Normally, Microsoft releases updates for Flash in Edge and Internet Explorer along with everything else on the second Tuesday of each month.

This month, something went wrong with the Windows Update system, and Microsoft pushed all the February updates to March, including an expected fix for a serious SMS flaw.

Someone at Microsoft apparently realized that this decision would leave some Flash users (those using Flash in Edge and Internet Explorer) vulnerable for an extra month. Flash vulnerabilities are targeted aggressively by malicious hackers, so this is obviously a bad thing. As a result, Microsoft has released a Flash update, one week later than originally planned.

Anyone who uses Flash in Internet Explorer or Edge should visit Windows Update and install the Flash update as soon as possible.

So we do get a Microsoft Security Bulletin Summary for February 2017 after all, but it only includes a single bulletin.

Shockwave 12.2.5.196

A new version of Shockwave appeared at some point in recent weeks. There was nothing like an announcement, and version 12.2.5.196 is barely mentioned on the official Shockwave release notes page. In fact, all we get is this: “Current Runtime Release Version: 12.2.5.196”.

Somewhere at Adobe, there’s at least one person who knows why Shockwave 12.2.5.196 was released. It would sure be handy if they said something about it.

If you use a web browser with Shockwave enabled, you should probably install the new version, because it may contain a security fix that Adobe just didn’t bother to mention.

Microsoft pushes February updates to March

In an unprecedented move, Microsoft has decided to delay all February updates until next Patch Tuesday, which is March 14. It’s still not clear exactly why this is happening, but Microsoft is working on structural changes to the Windows Update system, so presumably something went horribly wrong in testing.

This is bad news for anyone who runs a server that’s vulnerable to a recently-discovered SMB flaw that was expected to be fixed with Tuesday’s updates.

Update 2017Feb23: Meanwhile, Google’s Project Zero went ahead and published the details of another vulnerability that was supposed to be fixed this month. This was done in keeping with GPZ’s own policy, but as usual Microsoft isn’t happy about it.

Flash update fixes 13 vulnerabilities

A new version of Flash, released yesterday, addresses at least thirteen vulnerabilities in previous versions.

According to the security bulletin for Flash 24.0.0.221, the new version fixes “critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”

The release notes for Flash 24.0.0.221 describe some new features that are likely only of interest to developers.

As usual, Internet Explorer and Edge will get new versions of their embedded Flash via Windows Update, while Chrome’s embedded Flash will be updated automatically.

Anyone who still uses a web browser with Flash enabled should update it as soon as possible.

Vivaldi 1.7

Apparently the people who develop Vivaldi believe that adding a screen capture feature to the browser is a good use of their time. Perhaps if you don’t use any other web browsers, and you only ever need to capture screenshots of web sites, and never of anything outside the browser, this would be a useful feature. The rest of us will use the much more powerful features of general-purpose screen capture tools like ShareX.

Aside from the arguably pointless addition of screen capture, Vivaldi 1.7 further improves audio handling, and includes tweaks for domain expansion in the address bar. More importantly, Vivaldi now warns users when they navigate to a non-encrypted page that prompts for a password.

You can see the complete list of changes for Vivaldi 1.7 in the official release announcement.

Opera 43

The folks who develop the alternative web browser Opera are working on improving page loading time, and if their own benchmarks are any indication, those efforts have paid off.

Opera 43 shows significant speed gains over Opera 42, due mainly to the introduction of two new technologies: ‘instant page loading’, which predicts the site you’re looking for as you’re typing in the address bar, and PGO, which optimizes the browser code to make it run faster when it’s most important.

The new version also includes improvements to URL highlighting/selecting. Previously, there was no way to highlight linked text. With Opera 43, highlighting linked text works as expected if you use a horizontal motion, and if you use a vertical motion, the entire link is copied, as before.

There are loads of other changes in Opera 43, as you can see from the lengthy change log. However, none of the changes seem to be related to security vulnerabilities.

News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.